Scribd Logo
Upload

Welcome to Scribd!

  • Server-Side Web Programming: Introduction To Sessions

    Uploaded by

    Hop Huynh
    34 views24 pages
    Sessions allow servers to maintain stateful information about each user across multiple requests or page visits during a single session. A session ID is assigned to each user and passed back and forth via cookies or URL encoding to associate requests with the correct user session on the server. Session data can be stored on the server and retrieved based on the session ID to maintain user-specific information for the duration of the session. Sessions expire after a period of inactivity to free server resources.

    Original Description:

    Original Title

    Lecture 8

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    PPT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    Sessions allow servers to maintain stateful information about each user across multiple requests or page visits during a single session. A session ID is assigned to each user and passed back and forth via cookies or URL encoding to associate requests with the correct user session on the server. Session data can be stored on the server and retrieved based on the session ID to maintain user-specific information for the duration of the session. Sessions expire after a period of inactivity to free server resources.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    34 views24 pages

    Server-Side Web Programming: Introduction To Sessions

    Uploaded by

    Hop Huynh
    Sessions allow servers to maintain stateful information about each user across multiple requests or page visits during a single session. A session ID is assigned to each user and passed back and forth via cookies or URL encoding to associate requests with the correct user session on the server. Session data can be stored on the server and retrieved based on the session ID to maintain user-specific information for the duration of the session. Sessions expire after a period of inactivity to free server resources.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as PPT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 24

    Server-side

    Web Programming
    Lecture 8:
    Introduction to Sessions
    Sessions
    • Session:
    Set of pages submitted by user to accomplish goal
    – Example: Most on-line shopping

    Enter Enter
    Add to cart shipping payment Reciept
    information information
    Need for Session Handling
    • Problem:
    No easy way to associate steps if multiple clients
    – Nothing built into the web allows server to know where a request is
    coming from.
    – Server may have to simultaneously manage thousands of sessions.

    Who submitted this request? 3


    Session Handling
    • Basic steps:
    – Assign each new client unique ID at start of session.
    – Pass ID to client as part of each response
    • Now client knows it as well
    • Stored as cookie by default
    – Client passes ID back to server with subsequent requests
    • Server can associate this request can be associated with initial request.
    – Server stores client data in table indexed by session ID

    Client initial request Server


    session ID created data associated with
    session ID for client this client
    response including
    (stored as session ID
    cookie)
    further requests
    include more
    data + session ID

    4
    Session Handling
    • Sessions can be accessed from both servlet and JSP
    – Servlet: Construct a new session object from the request
    HttpSession session = request.getSession();
    – JSP: Just use built-in session object which Tomcat creates
    from request (like request object)

    request : Server
    Servlet
    form data + session ID
    session ID data
    Construct
    created for associated
    session object
    client with this
    client
    JSP
    Use session
    object
    5
    Creating a New Session
    • Done automatically first time session requested by servlet or JSP
    – HttpSession session = request.getSession();
    in servlet
    – Use of session object in JSP
    • Tomcat:
    – Knows this because no session ID included in request
    – Generates new ID not used for current session (or recent past session)
    – Creates new session table entry for that ID

    Server session ID Client data


    Servlet or JSP session ID Client data
    Access create session ID Client data
    session object session ID Client data
    new session ID No data yet
    Passing Session IDs
    • Automatically included in response sent back to client
    • Stored in cookie on client machine
    – Cookies only data that persist between pages in browser
    – Associated with server domain name, directory, etc.

    Client computer
    Server
    Browser Servlet
    Response or JSP
    Store session ID
    web page + Create
    session ID response
    Cookies
    session ID +
    server name
    Passing Session IDs
    • Automatically included in request sent in future to same
    server
    – All cookie values associated with server sent with request
    – Server now knows who client is!

    Client computer
    Server
    Browser Servlet
    Request = or JSP
    Retrieve session ID
    parameters + Handle
    session ID request
    Cookies
    session ID +
    server name
    Associating Session Data
    • Servlets/JSPs can store data associated with session ID
    • Servlets/JSPs can look up that data in future when
    passed the session ID in request

    Server
    session ID Client data
    Servlet or
    Session session ID Client data
    JSP ID for
    Request lookup
    session ID Client data
    Needs
    including session ID Client data
    session
    session ID session ID Client data
    data
    Client data
    associated with
    session
    Storing Session Data
    • Syntax:
    session.setAttribute(“name”, object);
    – Like parameters, session data stored as name/value pairs
    – Like attributes, can store any Java object
    • Often a “shopping cart” object

    All session data


    … …

    Session ID = Session data


    fieh4K39Rdk name “Fred”
    email “fred@aolrock”

    … …
    Storing Session Data
    Retrieving Session Data
    • Syntax:
    type variable =
    (type)session.getAttribute(“name”);

    – Same syntax as retrieving attribute added to request


    – Since value could be any object, must cast back to original type

    • Will be null if
    – No session created for this client
    – That value not stored for this client
    Retrieving Session Data
    Session Example

    StoreInfo servlet
    creates session and
    “Mai Anh Tho”, stores the information
    tho@hcmuaf.edu.vn in new session
    passed to server

    Session ID = Session data


    fieh4K39Rdk name “Mai Anh Tho”

    email “tho@hcmuaf.edu.vn”
    Session Example
    Cookies
    StoreInfo servlet
    ID= fieh4K39Rdk adds session ID to
    server=www.widgets.com
    response

    Session ID

    getQuantity JSP
    Response =
    sends session ID to
    page + client as part of page
    Session ID
    Session Example
    Cookies

    ID= fieh4K39Rdk
    server=www.widgets.com

    Sending request to
    www.widgets.com, so
    retrieve its cookies

    Server at
    quantity=27& www.widgets.com
    ID= fieh4K39Rdk
    submitted in request
    Session Example

    Reciept JSP
    retrieves information
    quantity=27&
    ID= fieh4K39Rdk associated with the
    session ID and inserts
    submitted in request into the response page

    Session ID = Session data


    fieh4K39Rdk name “Mai Anh Tho”

    email “tho@hcmuaf.edu.vn”
    URL Encoding
    • Many users disable cookies!
    – Often default in some browsers
    – Need alternative way of storing session information on server

    Solution:
    • Pass session ID to the client as part of every response
    • Insure that client sends that session ID back to the
    server as part of every request
    • Since you have no way of knowing whether user has
    cookies, you must do this!
    URL Encoding
    • Syntax:
    <form action=
    “<%= response.encodeURL(“url”) %>”
    method=…> Page being
    requested

    • If browser detects cookies not enabled, it appends the


    session ID to the request
    – Like other form data
    Session Expiration
    • Can set time until session expiration
    – Property of web.xml file

    • Session expires if no request within time limit


    – Session inactive
    – Session id and all attributes destroyed
    – Request for session attributes returns null
    Sessions for Access Control
    • Users can skip pages in a sequence
    – Bookmarked page in middle

    Goal:
    Prevent users from directly going to other
    pages without first going to initial page
    Sessions for Access Control
    Solution:
    • Set session attribute at servlet called from first page
    – Use this in other pages to determine whether initial page
    requested in this session
    Sessions for Access Control
    • All other JSPs test whether attribute is null
    • If so, redirect to another page
    – Initial page in sequence
    – Error page telling session has expired
    • Syntax for redirection from JSP:
    <jsp:forward page=”url to forward to”/>
    Sessions for Access Control

    Attempt to start here

    Redirected here

    You might also like